Fake AV, SEO Poisoning Top Malware Threats in April

Attackers increasingly focused on fake antivirus and black-hat SEO techniques to target victims on the Web in April.

The volume of malware
continued to increase in April as online scammers and malware distributors took
advantage of major events according to security experts. Fake antivirus
software and poisoned image search links were particularly prevalent in April.
There were over 73,000 new
variants of malware released daily in April, a 26 percent increase over April
2010, GFI Software found in its monthly analysis released May 16.
Cyber-criminals exploited several high-profile events, including the U.K. Royal
Wedding of Prince William and Kate Middleton, the Easter holiday, the
anniversary of Yuri Gagarin becoming the first man in space and the release of
President Barack Obama's birth certificate.

Seven of the top 10 malware
threats were Trojans, according to GFI's top 10 malware list for the month.
Trojan.Win32.Generic!BT, a generic malware classification that encompasses a
variety of Trojans, continued to be the biggest threat, accounting for over 20
percent of total malware detected. The Zeus/Spyeye Trojan and fake antivirus
were also part of the top 10.

A Trojan exploiting Autorun
on Windows PCs continued to make the rounds in April. Microsoft noted in its
recent Security
Intelligence Report that autorun worms don't affect Windows 7 systems, but
unpatched versions of Windows XP remained vulnerable. Microsoft also noted the
rise of fake security scareware in its report.
Attackers aggressively
pushed fake antivirus software to victims in April, GFI Software found. Users
were directed to malicious Websites that purported to contain exclusive
content, such as videos and images. Once users were tricked into downloading
and installing fake software, the rogue security program claimed to find
malware and demanded users upgrade to remove the threats.
Malware writers employ techniques
that alter the rogue executable to continuously create new variants within the
scareware family, according to Sophos. One such family, called the "Security
Tool," produces a different executable nearly every minute, so users hitting
the malicious site repeatedly wind up downloading a different sample each time.
Many of the fake antivirus programs are essentially the same product but
skinned differently and have names that sound similar to legitimate tools, such
as "Internet Security 2010," "XP Defender" and "Malware Defense."

While fake antivirus scams
for Windows PCs are common, April also saw one masquerading as an antivirus for
the Mac OS X that was called MACDefender.
Another popular attack
vector in April involved black-hat search-engine optimization techniques.
Attackers hijacked legitimate search results with links to malicious pages. In
April, poisoned links appeared in searches for printable Easter cards and Royal
Wedding coverage. Users searching for video were directed to malicious pages
promising streaming video, but in actuality downloading malware (usually fake
antivirus) onto the computer, GFI said.
Many of the pages used in SEO-poisoning
attacks are hosted within a large number of compromised, legitimate sites,
Fraser Howard, a principal virus researcher at Sophos Labs, wrote on the Naked
Security blog. Hijacked topics and keywords include "pretty much anything,"
and range from the "predictable," such as Lady Gaga's shoes and Justin Bieber,
to "unusual," such as ancient Inca masks, according to Howard. Many of the SEO-poisoned
links point to pages constructed and managed using the Blackhole kit, available
for sale on underground forums.
GFI warned that SEO
poisoning would remain a big threat in May, with events such as the killing of Osama
bin Laden, the Indianapolis 500 auto race, the birthday of the late author
Douglas Adams and college graduation season. Any of these events could be prime
targets for SEO poisoning and users should be wary of unsolicited emails or Web
offers.